Quantum cryptography: yesterday, today, and tomorrow

Does it have a future? Classic cryptology isn't budging, but all depends on QKD.

Quantum cryptography is one of those amazing tools that came along before anyone really asked for it. Somehow there are companies out there selling very high end, and "provably secure" cryptography gear, all based on fundamental principles of quantum mechanics. Yet, despite being fundamentally unbreakable, there have been quite a few publications on more-or-less practical ways for Eve to eavesdrop on people whispering quantum sweet-nothings in darkened rooms.

As a bemused onlooker, I jumped on the TGV train from Paris to journey to the heart of quantum key distribution (QKD): Geneva. Geneva is where QKD was deployed in real-world demonstrations; it is the base of Id Quantique, a company that specializes in quantum physics based security products; and it is home to the University of Geneva's GAP-Optique, a powerhouse of quantum optics research.

My goal was to discover what all the fuss was about. Who buys a QKD distribution system? Why do they bother? If QKD becomes ubiquitous, where is the battle between white and black hats going to be played out, and how will that battle change? What is the future of QKD research?

A quantum eavesdropper

As the train pulled out of Paris Lyon, I contemplated, with a certain amount of reluctance, the ins and outs of current cryptography methods. Well, actually, there are myriad ways to secure data. So, I was only actually thinking about current commercial asymmetric key systems. Using broad brush strokes, we can divide the world of encryption into two classes: secret keys, and public/private keys. In the public/private key system, I have two keys—one of which I keep at home under the pillow, while the other is public. Now, if someone wants to send me an encrypted message, they use my public key to scramble the data, and I use my public and private keys to unscramble said data.

The prime recipe (Warning: math ahead)

The main requirement for a good public/private key system is that one should not be able to derive the private key from the public key. RSA algorithms (named for the trio of inventors) are one tool for creating such keys, so let's take a look at how this works:

Start with two prime numbers, p and q; in this example they are 13 and 17, whose product is 221. We also need a second number, given by the product of p-1 and q-1: (p-1)(q-1) = 192. Now, in the range 1-192, choose any number under the condition that its greatest common divisor with 221 is one. Let's choose seven.

Now it's time to calculate our key using these numbers. To do so, repeatedly calculate (p-1)(q-1) × k + 1 for k = 1, 2, 3, ... until you get a number that is divisible by our chosen number (seven in our case). Filling in the integers one, two, three, etc., we get 193, 385, 577, ... In our case 385 is divisible by seven (giving 55).

We then have two keys: {7, 221} and {55, 221}. But without the values of the prime numbers used to calculate 221, it is not possible to use either key to derive the other. You do, however, know the product of the two prime numbers used to generate the key (221 in this case), so it is possible to figure this out by simply trying to factorize the product.

It turns out that this is no easy task. I wrote a simple script to test how finding prime factors scales with the size of the factor. It's a simple brute force calculation, which is not optimized, and the absolute times are probably dominated by the time it takes to load up Python and the required libraries. But, the actual time is not important. The thing to note is how fast the time increases with the size of the product.

In an ideal world, as the size of the product increases by an order of magnitude, the time taken to find the key should increase by at least an order of magnitude. However, even for my dumb script, it takes an increase of an order of magnitude in each prime—or two orders of magnitude in the product, if you will—to gain a single order of magnitude in the time it takes for the prime factors to be found. Now, of course, this is only the first step: the hacker still needs to work out the second number. That is, in general, a much simpler task.

Where we win is that the time taken to calculate the key is pretty much independent of the size of the prime factors used to generate the key, so, we can always choose primes large enough to make it impractical to factorize the product. And, this is why the bit length of keys used by asymmetric key generators is so long.
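The recipe above and the brute-force factoring the article times, as an added example (not the author's script): the toy key pair is built from the article's numbers (p = 13, q = 17, e = 7), a message is round-tripped, and the private exponent is recovered from the public key alone by trial division. The sample moduli in the timing loop are constructed here for illustration.

```python
"""Toy RSA with the article's numbers (p = 13, q = 17, e = 7), and the brute-force
factoring the article times. Added example; not the author's script."""
from math import gcd, isqrt
import time


def rsa_keygen(p, q, e):
    """Follow the article's recipe: n = p*q, phi = (p-1)(q-1), then search for d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    # The usual requirement is that e share no factor with phi (here 192);
    # the article phrases it against n (221). With e = 7 both hold.
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    # Article's search: try phi*k + 1 for k = 1, 2, 3, ... until e divides it.
    k = 1
    while (phi * k + 1) % e:
        k += 1
    d = (phi * k + 1) // e          # 385 // 7 == 55 for the article's numbers
    return (e, n), (d, n)


def rsa_apply(key, m):
    """Encrypt or decrypt one integer block m (0 <= m < n) with (exponent, n)."""
    exp, n = key
    return pow(m, exp, n)


def trial_factor(n):
    """Smallest prime factor by trial division up to sqrt(n); returns (p, q).
    Work grows with sqrt(n): two orders of magnitude in n buy one in time,
    which is the scaling the article observed."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f <= isqrt(n):
        if n % f == 0:
            return f, n // f
        f += 2
    return n, 1                     # n itself is prime


def recover_private_key(public_key):
    """What an attacker who can factor n does: rebuild phi and invert e mod phi."""
    e, n = public_key
    p, q = trial_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi), n       # modular inverse needs Python 3.8+


def time_factoring(n):
    """Seconds spent in trial_factor(n)."""
    t0 = time.perf_counter()
    trial_factor(n)
    return time.perf_counter() - t0


if __name__ == "__main__":
    pub, priv = rsa_keygen(13, 17, 7)
    print("public", pub, "private", priv)          # (7, 221) (55, 221)
    c = rsa_apply(pub, 42)
    print("42 ->", c, "->", rsa_apply(priv, c))     # round trip
    print("recovered from public key:", recover_private_key(pub))
    # Constructed sample moduli from primes of growing size, to watch the trend:
    for p, q in [(10007, 10009), (100003, 100019), (1000003, 1000033)]:
        print(f"n = {p * q:>14}  {time_factoring(p * q):.4f} s")
```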

Shor's in da house

Okay, so, my script was really dumb. Others would, and no doubt have, found ways to optimize it. In the end, no optimization can win against a sufficiently large pair of prime numbers. This is where quantum information technologies play their role. Shor discovered that the game of finding prime factors is one that a quantum computer may be able to do efficiently. Ever since, Shor's algorithm has been the bugbear driving both QKD technology, and new classical cryptography approaches.

So, how does Shor's algorithm work? To be honest, that is really hard to describe, a situation not helped by the fact that, although I know a fair bit about quantum mechanics, I come at this from an entirely different direction than those studying quantum information technology. Needless to say, the following description will be fairly basic.

Imagine you have a product of two prime numbers, say, 221. Now, we set that number to be an endpoint—for the purposes of our game, there are no higher integers. If we multiply two numbers together and get a number larger than 221, it wraps around, so 15 times 15 results in 225-221 = 4. If we multiply two by itself, we only get four, which doesn't wrap, and we can do that 7 times before it wraps. But 2^8 wraps around and results in 35. Got that? Great.

That is the numbers game, but in terms of physics, this looks like how waves fit in an optical cavity. The idea is that an integer number of half wavelengths must fit between two mirrors that face each other for that wavelength of light to be a mode. If the wavelength is a little too long or too short, then, when it travels from one mirror, to the other, and back to the start, it has a slightly different phase than when it began. The result is the wave does not add up in phase with itself, and, to some extent, destructively interferes with itself. In the end, these wavelengths fade out and don't stay between the two mirrors, while those that fit are reinforced and build up.

Put another way, every wavelength that is not precisely right gathers a small amount of extra phase every time it travels around the cavity. Shor's algorithm takes the job of finding the factors of large numbers and turns it into the problem of estimating how much phase is accumulated by a wave travelling back and forth between two mirrors. If two numbers multiplied together are too large or too small, then they produce an error value. In the physical implementation, this is a phase error, resulting in destructive interference.

Quantum superposition

Superposition is nothing more than addition for waves. Let's say we have two sets of waves that overlap in space and time. At any given point, a trough may line up with a peak, their peaks may line up, or anything in between. Superposition tells us how to add up these waves so that the result reconstructs the patterns that we observe in nature.

In practice (or actually, not, since no one has more than a toy model), one uses a classical algorithm to produce a list of potential factors. So, for 221, you eliminate pairs like 112, leaving a bunch of potential factors. The quantum part relies on the fact that a quantum bit (qubit) can be in a superposition of different values. Instead of logical one or zero, the qubit takes on a value between zero and one which represents the probability of evaluating the qubit as a logic one when measured.

Quantum operations then modify the probability of each qubit being a logic one. A string of eight qubits represents every value from 0-255 in parallel. But if you were to measure the value of the qubit register, you would get just one value, with the chance of each value determined by the probability amplitudes of the qubits in the register.

As we run Shor's algorithm, the qubits go through a series of operations that lead to their states interfering. The nature of that interference—constructive or destructive interference—depends on whether the value held by the register is a factor of, in our case, 221. Destructive interference reduces the probability of the register returning that value when it is measured, while constructive interference increases the probability. Because we examine all possible factors simultaneously, this process has the potential to be much faster than existing methods for finding factors.

Let's consider a consequence of using phase to calculate prime factors: 221 has prime factors 17 and 13, and factors 1 and 221. We can eliminate the latter in the classical part of our algorithm. But, what about two and 111? "Wait," you say. "That is not a factor. The product is 222." Nevertheless, we need to think about it, because quantum algorithms are probabilistic. 17 and 13 have the highest probabilities, but two and 111 only have a phase error of 0.5 percent. The probability of Shor's algorithm returning this incorrect result is rather high. Unfortunately, a near miss, though easy to spot (it is very quick to check that 2×111 = 222, not 221), is likely not very useful in terms of decrypting a message, so we need to do something to increase the chance of getting the correct answer.

This can be done in two ways. You can run the same calculation many times and use the statistics of the results to determine the most probable, and, therefore, correct answer. Or, equivalently, you can take the unmeasured results from the first calculation and use them as the start for a repeat calculation. Think of our nearly-right answer (two and 111). This has a phase error of one part in 221 after one iteration of the calculation. But, if we perform the calculation a second time, the phase error accumulates, so it increases to two parts in 221. Essentially, after every iteration, the probability of the correct answer increases, while the probabilities of the close-but-no-cigar results all decrease.
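The wrap-around game above is modular exponentiation, and the "phase" Shor's algorithm estimates is its period. The block below is an added example (not from the article) that works through the classical parts with the article's numbers: it lists 2^x mod 221 until it wraps, finds the period by brute force where a quantum computer would use the quantum Fourier transform, and derives 13 and 17 from that period.

```python
"""The classical half of Shor's algorithm on the article's modulus N = 221.
Added example, not from the article. The 'wrap-around' multiplication is a^x mod N;
a quantum computer finds its period r with the quantum Fourier transform, while
here the period is found by brute force so that the rest of the recipe can be seen."""
from math import gcd


def wrap_sequence(a, N, length):
    """a^x mod N for x = 1..length: the article's game where 2^8 wraps to 35."""
    return [pow(a, x, N) for x in range(1, length + 1)]


def find_period(a, N):
    """Smallest r > 0 with a^r ≡ 1 (mod N). This loop is the exponentially
    expensive step that Shor's algorithm replaces with quantum period estimation."""
    if gcd(a, N) != 1:
        raise ValueError("a shares a factor with N; gcd(a, N) already factors N")
    x, r = a % N, 1
    while x != 1:
        x = (x * a) % N
        r += 1
    return r


def factors_from_period(a, N, r):
    """Post-processing: with r even and a^(r/2) != -1 (mod N),
    gcd(a^(r/2) - 1, N) and gcd(a^(r/2) + 1, N) are nontrivial factors.
    Returns None when this base a is unlucky and another must be tried."""
    if r % 2:
        return None
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None
    f1, f2 = gcd(y - 1, N), gcd(y + 1, N)
    if f1 in (1, N) or f2 in (1, N):
        return None
    return tuple(sorted((f1, f2)))


def shor_classical(N, bases=range(2, 50)):
    """Try bases in order; return (a, r, (p, q)) for the first that succeeds.
    r is None if the base happened to share a factor with N (no period needed)."""
    for a in bases:
        g = gcd(a, N)
        if g != 1:
            return a, None, tuple(sorted((g, N // g)))
        r = find_period(a, N)
        factors = factors_from_period(a, N, r)
        if factors:
            return a, r, factors
    return None


if __name__ == "__main__":
    print("2^x mod 221:", wrap_sequence(2, 221, 10))   # ... 64, 128, 35, 70, 140
    a, r, pq = shor_classical(221)
    y = pow(a, r // 2, 221)
    print(f"base {a}: period {r}, {a}^{r // 2} mod 221 = {y}, "
          f"gcd({y - 1}, 221) = {pq[0]}, gcd({y + 1}, 221) = {pq[1]}")
```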

Ahh, thanks xoa—I forgot to remove those graph references. Ultimately Chris thought they wouldn't add to the piece so we went on without them. Hope things aren't unclear without them.

No problem, it was still excellent, and given the information density a few things slipping through is to be expected. I would be curious to see a bit more depth on lattice-based crypto though. I vaguely recall seeing an announcement from IBM that mentioned it a few years back, but otherwise this is the first mention I've seen in quite a while. What is the current state-of-the-art there? I'd also be curious about your opinion on potential approaches using classical physics like KLJN (a recent example being the arXiv presentation earlier this year "Information theoretic security by the laws of classical physics"). That approach also uses privacy amplification to handle non-ideal conditions, and is directly compared to QKD. I'm not sure how scalable it is either, though one paper (which I don't have access to) by Mingesz et al indicates potential range of up to 2000km.

I guess it's probably also worth remembering that, in the midst of all these elegant technological problem solving methods there are a few backups in the worst case, at least for some applications. Improvements to classical cryptography would be really nice period, and critically important for general distributed security and commerce. Classical crypto has the all important property of scalability, and that matters. But for specific applications like data center backups OTP will always be there as a perfectly secure (from a mathematical POV) fallback, either direct or used in a hybrid system to secure symmetric key exchange. To take the direct case, by my math a standard 53' semitrailer well packed (10% packing by volume) with 3.5" drives can carry around 1 exabyte at current capacities. In a first world country at least an armored transport being "intercepted by Eve" is going to be reasonably detectable, so it should be possible for data centers or other centralized locations to simply keep huge entropy pools on hand and refresh them via freight. Hybrid is even simpler though, then a single courier can carry all the entropy necessary to transmit a lot of symmetric keys.

The article states " At some point in the future, the public key becomes vulnerable due to the increase in computing power, allowing the stored data to be decrypted." However, it seems that with a sufficiently large key, the entropy can be such that it exceeds the capabilities of the possible universe to calculate (or at least delay such an event for the foreseeable future).

The article states " At some point in the future, the public key becomes vulnerable due to the increase in computing power, allowing the stored data to be decrypted." However, it seems that with a sufficiently large key, the entropy can be such that it exceeds the capabilities of the possible universe to calculate (or at least delay such an event for the foreseeable future).

That's the whole point of Quantum Computing. If we get enough working qubits, they may provide an order of magnitude speedup that makes using sufficiently large keys unfeasible.

I was lost after the beginning. The article first talks about the current public key (RSA) and then that with quantum computing someone can break that easily. And then it talks about quantum for distributing a key. But they're two different things, or not? Probably I don't understand much... If it's just communicating a key securely there should be simpler ways...

For everyone who simply wants to understand the "The prime recipe" paragraphs, I seriously recommend watching this youtube video. It's remarkably well done and begins by explaining this concept with colours and only then explaining with numbers.

For those that weren't aware, IBM's work from 2003 (?) includes an entirely different monster known as homomorphic encryption, or the idea that we can compute functions of encrypted data without decrypting it. Unlike secure multiparty computation, homomorphic encryption requires that you know the key in order to decrypt the answer. Secure multiparty computation relies on threshold encryption schemes to get its work done. For those that now have much more to research, you're welcome.

I now need to research if there is a straight symmetric encryption scheme based on lattices, even though I have no clue how mathematical lattices work.

I remember reading that QKD is susceptible to man in the middle attack though.

Not with privacy amplification - it's possible to mathematically prove how much information the middleman (Eve) has intercepted, and then remove that information when you generate your key.

Yeah, a straightforward man in the middle attack gives Eve, at most, one half of the bits. Privacy amplification reduces that by a power of two with each step.

Now, a man in the middle attack, combined with a side channel attack on the detectors, can give Eve the entire key, and no amount of privacy amplification will help in this case, so it is really the side channel stuff that you have to worry about.

Great article. The real-world practicality of both QKD and quantum decryption varies quite markedly from the way it is described in theory. I always had the impression that RSA would be broken essentially instantly by a quantum computer. Looks more like breaking large-key RSA becomes possible, but still not instantaneous.

But I guess I didn't understand one part. If QKD merely generates session keys, isn't it still susceptible to later decryption if the algorithm is vulnerable to quantum computers? Or is such vulnerability only a concern for asymmetric key systems?

I now need to research if there is a straight symmetric encryption scheme based on lattices, even though I have no clue how mathematical lattices work.

To the best of my understanding, post-quantum computer crypto research focuses exclusively on asymmetric encryption, because most symmetric ciphers are secure from quantum computers. Lattice-based crypto is asymmetric.

Chuckstar wrote:

I always had the impression that RSA would be broken essentially instantly by a quantum computer. Looks more like breaking large-key RSA becomes possible, but still not instantaneous.

The problem is that "possible" and "nearly instant" in practice have to be assumed to be about the same thing. The approaches are scalable in principle, so even if it initially takes 1000 years or something, only a few increases in power and it's down to a year, weeks or days, and then hours, etc. If a scheme isn't wholly computationally infeasible then the safe bet to make is that it'll become trivially tractable sooner or later, hence the research.

Granted, it's possible that for unforeseen reasons quantum computers will not in fact prove as scalable as hoped for or there will be other hiccups, but cryptography doesn't work by assuming things will just happen to work out. If it does scale, then Shor's would basically allow finding a secret key as fast as the user could apply it.

Quote:

But I guess I didn't understand one part. If QKD merely generates session keys, isn't it still susceptible to later decryption if the algorithm is vulnerable to quantum computers? Or is such vulnerability only a concern for asymmetric key systems?

See above, yes in essence the major risk from quantum computers applies to asymmetric systems. Again by my understanding (I hope the author will correct me if I'm wrong!) there is an algorithm that can be used to speed up attacks on symmetric systems (Grover's) but unlike Shor's it's countered just by quadrupling key size. It's not exponential but instead offers a square-root attack speedup.

So as long as keys can be securely exchanged a symmetric system can then take over. That is not a trivial problem though, and it's why asymmetric crypto was such a big deal in the first place.

I always had the impression that RSA would be broken essentially instantly by a quantum computer. Looks more like breaking large-key RSA becomes possible, but still not instantaneous.

The problem is that "possible" and "nearly instant" in practice have to be assumed to be about the same thing. The approaches are scalable in principle, so even if it initially takes 1000 years or something, only a few increases in power and it's down to a year, weeks or days, and then hours, etc. If a scheme isn't wholly computationally infeasible then the safe bet to make is that it'll become trivially tractable sooner or later, hence the research.

"Possible" and "nearly instant" are only the same thing if you're asking the question "will this archive be permanently unencryptable?" It's not the same thing if you're asking "how long until we have to replace existing systems for encrypting online transactions?" Generally, we accept the risk that if the full session of an online transaction were stored by a third-party eavesdropper, a crack might eventually be available that would reveal the full content. What we are most worried about with on-line transactions, though, is that someone would be able to decrypt the session soon enough to use the credit card number or account credentials before they expire.

So if you told me "the first quantum computer is out, it would take 1,000 years to decrypt your credit card number from an online transaction", then I'd think "they really need to speed up replacement of the SSL algorithm, because it's only going to be a couple hardware generations until they get that fast enough to intercept my credit card number".

But if you told me "the first quantum computer is out, it can decrypt your credit card number in 1 second", then SSL becomes immediately useless.

From a practical "what should I be worried about in the near term" basis, those two scenarios seem pretty different to me. As a user, that is. The crypto research guys seem to be thinking further ahead than I am, as is their role in this regard.

"Possible" and "nearly instant" are only the same thing if you're asking the question "will this archive be permanently unencryptable?"

No. Quantum computers scale exponentially with the number of qubits. Unlike classical, their basis is 2^n (where n is the number of qubits). That means an increase factor of 1000, for example, is only a matter of adding an extra 10 qubits. 20 could hold 1 million more values, etc. If the systems can be scaled at all then it's likely to be both rapid and importantly could potentially be private on the cutting edge, unlike classical systems.

The other thing is problem subdivision. If that's possible, then even if it's hard to go from X qubits to Y qubits, an organization with enough resources could simply (and secretly) buy more of them.

Quote:

So if you told me "the first quantum computer is out, it would take 1,000 years to decrypt your credit card number from an online transaction", then I'd think "they really need to speed up replacement of the SSL algorithm, because it's only going to be a couple hardware generations until they get that fast enough to intercept my credit card number".

But if you told me "the first quantum computer is out, it can decrypt your credit card number in 1 second", then SSL becomes immediately useless.

The problem here comes from determining whether, in fact, we'll have warning. With current standard computing the possible ranges are always very clear. I'm not sure that'll be the case with quantum though.

Good article, very informative, but is there something funky going on with the description of privacy amplification?

The article wrote:

But, there is a trick that eliminates this problem. Imagine we have a very poor source and Eve is able to accurately capture five percent of the bits sent along the line. In a 160 bit sequence, she will have eight bits, and, because each bit is independent, we can reasonably expect that there are two instances where she knows the value of two adjacent bits. Now, if Alice and Bob perform a mathematical operation on adjacent pairs of bits, the sequence is reduced to 80 bits, but there are only two locations in the original string where Eve might know both bit values for the operation.

So, originally, Eve knew five percent of the bits, now, at best, she knows two out of eighty bits—2.5 percent of the key. In fact, it is even better than that, because, we do not know the starting position in the bit sequence for the mathematical operation. So for each bit pair, there is a 50 percent chance that Eve has both bits. That means there is a 25 percent chance that Eve knows 2.5 percent of the key, and a 50 percent chance that she knows 1.25 percent of the key.

If there is a 160 bit sequence and Eve is assumed to know exactly 8 bits from the sequence, then the best she can do under any complete pairwise partitioning of the original sequence to an 80 bit sequence is 4 bits. For example, if we use adjacent bits starting from a known position then Eve might (with vanishing probability) know the first 8 bits, and therefore 4 bits in the reduced key. That would be 4/80, or 5% again. In general the best case is that all 8 bits belong to a box with one of the other known bits.

Clearly Eve's "best case" isn't really what is described nor what we should be interested in. What about the average case for Eve's retention of knowledge? Given an arbitrary partitioning of the 160 bit key into 80 two-bit boxes we therefore want the average number of boxes for which she knows both bits. I simulated this for 1,000,000 160 bit sequences and on average each sequence had ~.176 adjacent bits known by Eve, or on average .176/80*100=.22% of the string known to Eve, a typical suppression of more than an order of magnitude. In the simpler case of a 40 bit sequence with exactly two bits known to Eve (so she again knows 5% of the original sequence) the probability of both known bits being in the same box is trivially 1/39, and the probability that Eve knows no pairs of adjacent bits is 38/39, so that on average Eve knows 1/39~=.0256 adjacent bits of the original sequence, or about .0256/20*100=.128% of the reduced 20 bit sequence.

In the article, however, it says that "we can reasonably expect that there are two instances where she knows the value of two adjacent bits." Unless I've missed something critical (always a possibility), I don't see how to square the math of average known bits with this statement that to me suggests the expectation value. Is this supposed to represent a reasonable upper bound ("at most two instances") on Eve's knowledge since the probability of Eve knowing more than two adjacent pairs of bits is very small? Given that cryptographic schemes should be safe against "reasonable" worst-case scenarios that seems a very sensible thing to do. In my simulation of 160 bit sequences Eve knew 3 or more adjacent pairs in about 100 trials, so the probability is roughly 1/10000. In that case we could say that the article's analysis of the maximum information Eve retains is accurate with probability 9999/10000, and acknowledge that on average she will actually retain much less information than this pseudo-upper bound suggests. I hope the author can clarify this point of an otherwise very enjoyable read!
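To check the figures in the comment above, here is an added simulation (not the commenter's code) of the pairwise operation described, taken here as XOR of adjacent bits, with Eve knowing exactly k of the n raw key bits at random positions. It computes the expected number of reduced bits she still knows, both exactly and by Monte Carlo, and the resulting fraction of the shortened key; the XOR choice and the trial counts are assumptions.

```python
"""Privacy amplification by pairwise XOR, following the comment's setup.
Added example, not the commenter's simulation. Eve knows exactly k of the n raw
key bits (positions chosen uniformly at random); Alice and Bob replace each
adjacent pair by its XOR, halving the key. Eve learns a reduced bit only if she
knew both inputs of that pair. XOR is assumed as the 'mathematical operation'."""
import random
from math import comb


def xor_reduce(bits):
    """Alice and Bob's operation on the raw key: one output bit per adjacent pair."""
    return [bits[i] ^ bits[i + 1] for i in range(0, len(bits) - 1, 2)]


def eve_known_after_round(known_positions, n):
    """Indices of the n//2 reduced bits Eve can compute (both inputs known)."""
    known = set(known_positions)
    return {i // 2 for i in range(0, n - 1, 2) if i in known and i + 1 in known}


def expected_known_pairs(n, k):
    """Exact expectation over random positions: n/2 boxes, and a fixed box holds
    two of Eve's k bits with probability C(k,2)/C(n,2) (linearity of expectation)."""
    return (n // 2) * comb(k, 2) / comb(n, 2)


def knowledge_fraction_after(n, k):
    """Expected fraction of the reduced (n/2-bit) key known to Eve; before it was k/n."""
    return expected_known_pairs(n, k) / (n // 2)


def simulate(n, k, trials, seed=1):
    """Monte Carlo check: mean pairs known, and a histogram of how many per trial."""
    rng = random.Random(seed)
    total, hist = 0, {}
    for _ in range(trials):
        positions = rng.sample(range(n), k)
        c = len(eve_known_after_round(positions, n))
        total += c
        hist[c] = hist.get(c, 0) + 1
    return total / trials, hist


if __name__ == "__main__":
    for n, k in [(160, 8), (40, 2)]:
        mean, hist = simulate(n, k, 200_000)
        print(f"n={n} k={k}: before {k / n:.2%} known, "
              f"exact E[pairs]={expected_known_pairs(n, k):.4f}, simulated {mean:.4f}, "
              f"after {knowledge_fraction_after(n, k):.3%} of the reduced key")
        print("   pairs known per trial:", dict(sorted(hist.items())))
    # Constructed raw key: pairs with one unknown bit give Eve nothing after XOR.
    raw = [random.Random(3).randrange(2) for _ in range(16)]
    print("raw", raw, "reduced", xor_reduce(raw))
```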

A lot of trouble to go through for a Quantum Leap reference, Aurich. Were you not able to just edit the Quantum Leap text and use the main background for the show due to copyright reasons? (BTW, I'm 22, so that show aired before my time, and I just started watching it on Netflix; pretty awesome show that has tear-jerker moments.)

"Possible" and "nearly instant" are only the same thing if you're asking the question "will this archive be permanently unencryptable?"

No. Quantum computers scale exponentially with the number of qubits. Unlike classical, their basis is 2^n (where n is the number of qubits). That means an increase factor of 1000, for example, is only a matter of adding an extra 10 qubits. 20 could hold 1 million more values, etc. If the systems can be scaled at all then it's likely to be both rapid and importantly could potentially be private on the cutting edge, unlike classical systems.

The other thing is problem subdivision. If that's possible, then even if it's hard to go from X qubits to Y qubits, an organization with enough resources could simply (and secretly) buy more of them.

Quote:

So if you told me "the first quantum computer is out, it would take 1,000 years to decrypt your credit card number from an online transaction", then I'd think "they really need to speed up replacement of the SSL algorithm, because it's only going to be a couple hardware generations until they get that fast enough to intercept my credit card number".

But if you told me "the first quantum computer is out, it can decrypt your credit card number in 1 second", then SSL becomes immediately useless.

The problem here comes from determining whether, in fact, we'll have warning. With current standard computing the possible ranges are always very clear. I'm not sure that'll be the case with quantum though.

My understanding is that you don't get the speedups in quantum computing when you subdivide. Two quantum computers can only do the work twice as fast. And early systems are likely to be supercomputer-style expensive. So buying a thousand of them is not going to make sense just to break some credit card numbers.

Potential problems with adding qubits is also going to be a major issue. Quantum computing theory talks about qubits as discrete objects that interact with each other in ideal ways. In the real world, it is likely that adding any qubits will require the iteration of a full generation of the technology. And this will still be very expensive, specialized technology. You wouldn't want to be sending state secrets around using RSA after the first quantum computer is announced (even if it does take 1,000 years to break a single cipher), but you'll still be fine with credit card numbers at that 1,000 year mark.

We'll certainly get some kind of warning. We know these things are going to be wicked hard to build. Again, quickly after it works in a lab I'd expect NSA to have access to it, but not hackers stealing credit card numbers.

I remember reading that QKD is susceptible to man in the middle attack though.

Not with privacy amplification - it's possible to mathematically prove how much information the middleman (Eve) has intercepted, and then remove that information when you generate your key.

Yeah, a straightforward man in the middle attack gives Eve, at most, one half of the bits. Privacy amplification reduces that by a power of two with each step.

Very good article! However, there may have been a slight confusion in the terminology used in the above comments. Any quantum cryptographic protocol in itself is indeed susceptible to a man in the middle attack (MiMA) regardless of privacy amplification. In MiMA, Eve cuts the quantum channel (say, the optical fiber) to isolate Alice and Bob. Then she independently communicates with Bob [Alice] while pretending to be Alice [Bob]; to elaborate further, Eve exchanges two sets of secret keys with each of Bob and Alice.

This is different from an intercept and resend attack (IRA), in which the eavesdropper attempts to establish the same secret key which Alice and Bob would obtain at the end of the protocol. The steps for IRA are: 1. Eve intercepts the quantum states (photons) sent by Alice to Bob, 2. makes a measurement on them (using e.g. the same equipment as Bob would) and then, 3. depending on the measurement results, prepares new states to (re)send to Bob.

The dependence clause in Step 3 above is what makes IRA starkly different from MiMA.

As such, a simplistic IRA should always result in some errors (e.g.: 25% for the BB84 protocol) that can be detected by Alice and Bob and so, they can discover the presence of Eve. But using side-channel loopholes etc., these errors could be brought below the "alarm threshold" for Alice and Bob (e.g.: the ID Quantique QKD system sets its error threshold around 8%), thus breaking the security of QKD. One can check this link: http://arxiv.org/abs/1206.7019 to know more about attacks on QKD.

Finally, MiMA can be circumvented as long as Alice and Bob can somehow authenticate each other. This means that Alice knows for sure that she is talking to Bob and vice-versa. In QKD, this is regularly achieved by means of a classically-authenticated channel; note that on such a channel, Eve is allowed to *read* anything but not be able to *modify* that. Search "Wegman Carter" for more information.

Btw, it is somehow ironic, but the security of a classically-authenticated channel is based on public/private key cryptography. So if the beasts-that-threaten-classical-cryptography a.k.a. quantum computers indeed become a reality, then even QKD would have a problem!
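A classical Monte Carlo model of the intercept-and-resend attack the comment distinguishes from a MiMA, added here as an illustration (not the commenter's code): Eve measures each photon in a randomly guessed basis and resends what she saw, and Alice and Bob compare the error rate on their sifted bits against the 8% threshold quoted above. Bits and bases are abstract labels, detectors are ideal, and no side channels are modelled.

```python
"""BB84 with an intercept-and-resend (IRA) eavesdropper, simulated classically.
Added illustration for the comment above, not the commenter's code. Each photon
carries one bit in one of two bases (0 = rectilinear, 1 = diagonal); measuring in
the wrong basis returns a random bit. Eve measures in a guessed basis and resends
in that basis, which is what produces the ~25% error rate on the sifted key."""
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal measurement: right basis returns the bit, wrong basis a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n_bits, eve_present, seed=0):
    """Send n_bits photons; return (sifted_key_length, quantum_bit_error_rate)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_bits)]
    alice_bases = [rng.randrange(2) for _ in range(n_bits)]
    bob_bases = [rng.randrange(2) for _ in range(n_bits)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis
        if eve_present:
            # IRA steps 2 and 3: measure in a guessed basis, resend in that basis.
            e_basis = rng.randrange(2)
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis
        bob_bits.append(measure(state_bit, state_basis, b_basis, rng))
    # Sifting: keep positions where Alice's and Bob's bases agree (bases are
    # compared over the authenticated classical channel; bit values are not sent).
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(a != b for a, b in sifted)
    return len(sifted), errors / len(sifted)


def eve_detected(qber, threshold=0.08):
    """Abort rule: the comment quotes ~8% as the ID Quantique alarm threshold."""
    return qber > threshold


if __name__ == "__main__":
    for eve in (False, True):
        n, q = run_bb84(20000, eve_present=eve, seed=1)
        print(f"eve={eve!s:5} sifted={n} QBER={q:.3f} abort={eve_detected(q)}")
```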

Chris Lee / Chris writes for Ars Technica's science section. A physicist by day and science writer by night, he specializes in quantum physics and optics. He lives and works in Eindhoven, the Netherlands.